Jenkins Tuleap Authentication Plugin non-constant time token comparison

2023-08-1615:30:18

Google

osv.dev

jenkins

tuleap

authentication

plugin

security

comparison

token

validation

attack

software

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

37.2%

JSON

Jenkins Tuleap Authentication Plugin 1.1.20 and earlier does not use a constant-time comparison when checking whether two authentication tokens are equal.

This could potentially allow attackers to use statistical methods to obtain a valid authentication token.

Tuleap Authentication Plugin 1.1.21 uses a constant-time comparison when validating authentication tokens.

CPENameOperatorVersion
io.jenkins.plugins:tuleap-oautheq1.0.0
io.jenkins.plugins:tuleap-oautheq1.1.16
io.jenkins.plugins:tuleap-oautheq1.1.14
io.jenkins.plugins:tuleap-oautheq1.1.9
io.jenkins.plugins:tuleap-oautheq1.1.20
io.jenkins.plugins:tuleap-oautheq1.1.11
io.jenkins.plugins:tuleap-oautheq1.1.13
io.jenkins.plugins:tuleap-oautheq1.1.10
io.jenkins.plugins:tuleap-oautheq1.1.17
io.jenkins.plugins:tuleap-oautheq1.1.1

Name	Operator	Version
io.jenkins.plugins:tuleap-oauth	eq	1.0.0
io.jenkins.plugins:tuleap-oauth	eq	1.1.16
io.jenkins.plugins:tuleap-oauth	eq	1.1.14
io.jenkins.plugins:tuleap-oauth	eq	1.1.9
io.jenkins.plugins:tuleap-oauth	eq	1.1.20
io.jenkins.plugins:tuleap-oauth	eq	1.1.11
io.jenkins.plugins:tuleap-oauth	eq	1.1.13
io.jenkins.plugins:tuleap-oauth	eq	1.1.10
io.jenkins.plugins:tuleap-oauth	eq	1.1.17
io.jenkins.plugins:tuleap-oauth	eq	1.1.1